s4x13

phew. conference is over. i was gone for 4 days, two of which were nearly entirely travel; the time flew like two days, and i'm drained like i've been gone a week. home sweet home, where 9 degrees fahrenheit is great walking weather and snow is all around.

_the_course_

the RfCat class went great! there were some hitches getting machines working correctly (the most infuriating was caused by the conference-provided wifi filtering out offensive-security.com, required for installation of the pyside library on backtrack), and a couple "bugs" in the courseware that i'm ironing out now, but overall the class was a great first running. the students seemed to love it, they seemed to understand what i was teaching, and they seemed to glom on to the things i think are important for wireless hacking/reversing. i was a little concerned. less than a week before class i decided to flesh out one exercise into 20 pages because of the importance of the lessons it teaches, and it seemed too much. at the end of the course, that exercise was cited multiple times as the most valuable part of the course. yay! i'm sure i can continue to improve upon the class, but overall the people were great and the class seemed to come off well. i look forward to completing the two-day version. thank you all who came and participated! hopefully i'll be able to teach the 2-day course at blackhat in vegas... we'll see.

_the_speech,_the_new_york_times,_and_power_industry_

so the talk went well. timing was about perfect, the reception seemed good, the questions were thought-provoking. oh, and the beard fit pretty well. :) the new york times blog post which followed created quite a stir in the power industry, particularly for power-meter vendors. it kinda made me laugh, kinda made me sad. that wasn't even my target audience. a few candid thoughts on these events...

first off, the press is always pressured to sell media...
and that, coupled with their natural curiosity and desire to call out lies and problems, can lead to a bit of rough edges in reporting, and the nuance of some communication can be lost. they are also writing to millions of people, which makes it even more difficult to effectively communicate the nuance. and sometimes they get certain details just wrong. nicole perlroth of the nyt appears to be striving to do a good job reporting what's going on. i truly believe that, and that says a lot for a reporter coming from me. i lump her into the category previously occupied only by elinor mills. i'm intrigued at her being an "aspiring hacker", lol.

however, nicole got a couple details wrong that i wish she hadn't, partly because i was very careful *not* to say certain things. for instance, i did make a comment about the titanic, and that we may still have rudder enough to avoid the iceberg... however, that was not directed at the vendor i used to demonstrate hardware-hacking against. it was about a control systems environment which continues to keep valuable security research from happening through lame excuses and overpriced widgets. i stand by that statement. we *must* get to a point, and very soon, where all scada/ics equipment can handle an NMAP scan and *not* fall over, and far, far more. i completely understand what's at stake. as an electricity-addict, i demand high availability of electricity. however, the lame excuses of "our environment is too complex to build a testbed" and "you can't change anything or it may break" have got to be stopped. these systems which are part of our "critical infrastructure" need to be treated as critical in a different way... and vendors pressured to make their products more robust, security tested... and utilities pressured to fix or replace devices which suck.

secondly, the power industry is very knee-jerkish about "anything that can cast doubt upon the technology."
i fielded several calls the next day from friends and companies in the industry. sadly, it looks like i may have cost one friend a contract to do security research... something about "if he's talking publicly, what's to keep you from talking publicly?" *bullshit*. the answer? i have no contractual obligations not to talk! if you hire someone to do this work, you will certainly have some nda to keep them "on your side".

power folks do live in a very odd sort of environment, with both private industry concerns and governmental regulatory / funding concerns. newer smart-grid companies get the benefit of impending large purchases of their new products, so they can (if only they all would!) provide security for the 21st century (yes, some of them are that far behind). unfortunately the control systems folks don't have anything quite so new and sexy to get the replacement purchase revenue... thus they have little incentive to do security research. if your stuff cost >$1M and the only reason to replace it was because you wrote shitty code, you might be reticent to make a big deal about it too. utilities could provide such pressure, but they are stuck in a two-faced conundrum as well... their power engineers have had great success for decades using the "if it ain't broke, don't breathe on it" approach... and the decision-makers haven't seen any vendor-options with good security to choose from! without the purchasing power of "the new great smart-blah" and po's for 100,000 units, they feel powerless to push the vendors to improve. so what the fuck? who can do anything? it's gridlock... it's the titanic. so yes, they react very poorly to anything that causes a negative view from the press. however, we're stuck in a tight spot.

some AMI vendors seem to have figured a lot of this out. silver spring networks is one of the latest, as they have been regularly engaging security testing from skilled folk for about a year now.
others who seem to get the problem include Itron and Elster. they are grokking the importance of continued vigilance, and have been working with reputable hackers to keep improving. many utilities also seem to get this. even some scada folk get the importance, and are working with security researchers to learn and deal with the problems... however, we need to keep rethinking the problem, breaking bad assumptions and teaching the details of exploitation so that we have a hope of doing something beneficial about it. lots of time and money spent will not fix this... only with the understanding of exploitation will any of this money and effort benefit us.

the purpose of my talk was to:

* teach what kinds of things are possible and penetrate the "black box" nature of lower-level hardware-hacking
* empower the audience to break through the poor assumptions that come from lack of understanding
* encourage control systems folks to build strong, multi-layered security with ways to identify, thwart, and react to attacks
* drive all involved to question what they are told... and prove it for themselves... to take responsibility and test.

in the end, i hope that the power industry gets less reactionary and more proactive... and more able to deal with the heat and pressure of their current circumstances. i hope the media will get less inciteful and work with the power folks and researchers in a way that conveys a better message, and i hope that we can turn the titanic before it's too late.

hack fun!
@